Posted: Fri Feb 09, 2018 5:57 Post subject: [SOLVED] Access Restrictions don't work
I blocked the internet access of a device that has no reason to have access to the network. The blocking rule is regularly active, but I noticed that the device still accesses the internet; I can see it from the LEDs.
I blocked the device both by IP and by MAC.
Tips?
Last edited by Frakko on Fri Feb 09, 2018 18:39; edited 1 time in total
Not sure I'd depend on flashing LEDs to determine if any given device is accessing the internet. It might very well hit the WAN, trigger the LED, but get blocked at that point.
What kind of device? Does it have a UI where you can more easily tell if it's accessing the internet?
AR (Access Restrictions) is known to not be very good. It's grown a bit outdated over the years. For a problem like this, it might just be easier to use some firewall rules and add them to the firewall script.
If we assume the device has the local IP 192.168.1.100 ...
Code:
iptables -I FORWARD -s 192.168.1.100 -j REJECT
Create a static lease on the GUI that maps its MAC address to that IP so it never changes. Make sure the static lease IP is *outside* the scope of the DHCP pool!
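As an added example (not code from this thread or from the DD-WRT project), here is a small script that builds the FORWARD rules suggested above, blocking the client both by its IP and, as a second match, by its source MAC, with a dry-run mode so the rules can be printed and checked from an ssh/telnet shell before they go into the firewall script. The IP 192.168.1.100 is the one used in the thread; the MAC address is a constructed placeholder, and the `show_counters` helper is a hypothetical convenience for checking that the rules are actually matching packets.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) FORWARD
# rules that reject traffic from one LAN client, matching by IP and by source MAC.
# Constructed values: 192.168.1.100 is the IP used in the thread, the MAC is a
# placeholder that must be replaced with the client's real address.

BLOCKED_IP="192.168.1.100"
BLOCKED_MAC="00:11:22:33:44:55"   # placeholder, replace with the client's MAC

# Rough sanity checks so a typo does not silently produce a rule that never matches.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the rules. -I inserts them at the top of FORWARD so they are evaluated
# before DD-WRT's own ACCEPT rules; the MAC match needs the iptables MAC match
# module to be loaded. Note that a client behind a wireless bridge is seen with
# the bridge's MAC, so the MAC rule only helps for directly connected hosts.
build_block_rules() {
    ip="$1"; mac="$2"
    valid_ipv4 "$ip"  || { echo "bad IP: $ip" >&2; return 1; }
    valid_mac  "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    printf 'iptables -I FORWARD -s %s -j REJECT\n' "$ip"
    printf 'iptables -I FORWARD -m mac --mac-source %s -j REJECT\n' "$mac"
}

# Dry run by default (just print the commands). Pass "apply" to execute them,
# which is what you would do from a shell session first; only once the block
# is confirmed to work should the same lines be pasted into the firewall script.
run_block_rules() {
    mode="${1:-dryrun}"
    rules=$(build_block_rules "$BLOCKED_IP" "$BLOCKED_MAC") || return 1
    if [ "$mode" = "apply" ]; then
        echo "$rules" | while IFS= read -r cmd; do eval "$cmd"; done
    else
        echo "$rules"
    fi
}

# Hypothetical helper: show the packet/byte counters of the blocking rules,
# a more reliable indicator than a blinking WAN LED.
show_counters() {
    iptables -L FORWARD -v -n | grep -E "$BLOCKED_IP|$BLOCKED_MAC"
}

run_block_rules "$@"
```

Running the script with no argument only prints the two iptables lines; `sh block.sh apply` executes them on the router, and a non-zero counter in `show_counters` output confirms the client's packets are hitting the rule.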
Is this problem also due to the impossibility of restricting access to the webgui through a specific MAC?
I inserted the modules indicated in "start" and entered the iptables rule in the firewall.
There is something wrong with the rule. In fact, I can access the dd-wrt menu from all the devices, while from the PC with the indicated MAC I cannot browse.
I removed the rule and the PC browses normally.
Can you verify the rule please?
Thank you.
Be careful w/ this one. If you get the MAC address wrong, then you'll lock yourself out of the GUI completely, since every other MAC address will be rejected! You might want to test this using a shell (telnet/ssh) first. If you accidentally get locked out, you can simply reboot and start over. Once you know it to be working, only *then* should you install it in the firewall script.
One other precaution. If by chance the client in question happens to be behind a client bridge or repeater bridge, you'll probably have to specify the MAC address of the wireless client on that bridge, NOT the actual client. Whenever you use a wireless bridge, it masks the MAC address of the clients behind it w/ its own MAC address. So it's a bit tricky to configure. If this doesn't apply to you, don't worry about it.
I have done various tests (my router is a TpLink-1043ND v3), but access continues to be allowed for all devices.
I think it's a bug.